Hi,
I need help to use a function that concatenates a parameter with a static value within a remediation rule.
I have the following custom Conformance Pack, where I want to define the AutomationAssumeRole as a parameter.
Parameters:
  ParamAutomationAssumeRole:
    Default: ComplianceRemediation
    Type: String
Resources:
  Ec2SecurityGroupAttachedToEni:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-security-group-attached-to-eni
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI
  Ec2SecurityGroupAttachedToEniRemediation:
    DependsOn: Ec2SecurityGroupAttachedToEni
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      ConfigRuleName: ec2-security-group-attached-to-eni
      ResourceType: "AWS::EC2::SecurityGroup"
      TargetId: "AWSConfigRemediation-DeleteUnusedSecurityGroup"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        GroupId:
          ResourceValue:
            Value: "RESOURCE_ID"
        AutomationAssumeRole:
          StaticValue:
            Values:
              Fn::Sub:
                "arn:aws:iam::${AWS::AccountId}:role/${ParamAutomationAssumeRole}"
Based on this doc, I could use the "Fn::Sub:" function, but the Conformance Pack deployment fails with the following error:
I'm not sure what I'm doing wrong here. Any help is much appreciated.
Thanks!